

Pedram Amini pedramamini

pedramamini / 20200730-emotet.txt
Created Jul 31, 2020
Emotet samples from 7/30/2020 with VT score (out of ~60) and InQuest score (out of 10).
xor201_macro.vba
' Our comments are prefixed with the string "[InQuest]". Other comments are preserved originals from the macro.
' The sample is available for download from InQuest Labs:
' Examining the OLE directory structure with oledump:
' $ 12d21da9bd0f7d877e04e59ad347b0e8787124c9f0ec170a913451acfb14a3b6
' 1: 146 '\x01CompObj'
' 2: 6 '\x03ObjInfo'
import sys

# [InQuest] Require exactly one argument (the input path) and bail out with a usage message otherwise.
if len(sys.argv) != 2:
    sys.stderr.write("usage: %s <input path>\n" % sys.argv[0])
    sys.exit(1)

path = sys.argv.pop()

data1 = []
data2 = []
data3 = []
pedramamini /
Last active Mar 16, 2019
Carve files out of a blob.
#!/usr/bin/env python
# source:
import os
import re
import sys
import errno
import string
# debug output.
pedramamini / disable_ddeauto.reg
Created Oct 20, 2017 — forked from wdormann/disable_ddeauto.reg
Disable DDEAUTO for Outlook, Word, and Excel versions 2010, 2013, 2016
Windows Registry Editor Version 5.00
pedramamini / XProtect.yara
Created Oct 19, 2017
Apple's built-in OS X file defense (XProtect) is powered by YARA: /System/Library/CoreServices/XProtect.bundle/Contents/Resources
import "hash"

private rule Macho
{
    meta:
        description = "private rule to match Mach-O binaries"
    condition:
        uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
pedramamini /
Created Aug 19, 2016 — forked from williballenthin/
Generate a YARA rule that matches the basic blocks of the current function in IDA Pro.
IDAPython script that generates a YARA rule to match against the
basic blocks of the current function. It masks out relocation bytes
and ignores jump instructions (given that we're already trying to
match compiler-specific bytes, this is of arguable benefit).
If python-yara is installed, the IDAPython script also validates that
the generated rule matches at least one segment in the current file.
author: Willi Ballenthin <>
pedramamini /
Last active Apr 22, 2016
Stock Market Games... these are from 2008.
import sys
import thax
import datetime
y =
my_adds = ["ALU", "AMZN", "CMG", "COMS", "DCA", "PLA", "PZZA", "RICK", "UA", "VMW"]
sp_500 = ["BBT", "BDX", "BBBY", "BMS", "BBY", "BIG", "BIIB", "BJS", "BDK", "HRB", "BMC", "BA", "BXP", "BSX", "BMY", "BRCM", "BF.B", "BNI", "CHRW", "CA", "COG", "CAM", "CPB", "COF", "CAH", "CCL", "CAT", "CBG", "CBS", "CELG", "CNP", "CTX", "CTL", "CF", "SCHW", "CHK", "CVX", "CB", "CIEN", "CI", "CINF", "CTAS", "CSCO", "CIT", "C", "CTXS", "CLX", "CME", "CMS", "COH", "KO", "CCE", "CTSH", "CL", "CMCSA", "CMA", "CSC", "CPWR", "CAG", "COP", "CNX", "ED", "STZ", "CEG", "CVG", "CBE", "GLW", "COST", "CVH", "COV", "CSX", "CMI", "CVS", "DHI", "DHR", "DRI", "DVA", "DF", "DE", "DELL", "DDR", "DVN", "DTV", "DFS", "D", "RRD", "DOV", "DOW", "DPS", "DTE", "DD", "DUK", "DYN", "ETFC", "EMN", "EK", "ETN", "EBAY", "ECL", "EIX", "EP", "ERTS", "EQ", "EMC", "EMR", "ESV", "ETR", "EOG", "EFX", "EQR", "EL", "EXC", "EXPE", "EXPD", "ESRX", "XOM", "FDO", "FAST", "FII", "FDX", "FIS", "FITB
pedramamini /
Created May 20, 2015
Extract URLs and related contact information from your OSX database.
#!/usr/bin/env python
# Extract URLs and related contact information from your OSX database.
# - automatically resolve username and discover contacts database (by largest item count if there is more than one).
# - make a machine parseable format.
# - keep track of last found URL (by hash?), allow for periodic run of script and addition to output.
# - update to latest gruber regex.
pedramamini /
Last active Aug 29, 2015
Blaze your way through Tinder (the dating app).
#!/usr/bin/env python
"""
blaze through tinder

- proxy / sniff out your auth token and edit the constant under imports.
- API may have changed.
- it's hard coded to search for girls looking for guys.
- this was a quick hack, i'm not maintaining it or answering questions about it.
"""